The following Fedora EPEL 8 Security updates need testing:

 Age  URL
   5  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2025-9b4f4b88ff   exim-4.98.2-1.el8
   5  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2025-7f793012aa   yarnpkg-1.22.22-7.el8
   3  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2025-ed542e7452   perl-Data-Entropy-0.008-1.el8

The following builds have been pushed to Fedora EPEL 8 updates-testing

    perl-Data-Float-0.015-1.el8
    squidclamav-7.4-1.el8
    xorgxrdp-0.10.4-1.el8
    xrdp-0.10.3-1.el8
    zabbix6.0-6.0.39-1.el8
    zabbix7.0-7.0.11-1.el8

Details about builds:

================================================================================
 perl-Data-Float-0.015-1.el8 (FEDORA-EPEL-2025-823469b322)
 Details of the floating point data type
--------------------------------------------------------------------------------
Update Information:

This release corrects a documentation.
This release updates a documentation. We deliver it mainly to provide an up-to-date version string.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Apr 2 2025 Petr Pisar <ppisar@xxxxxxxxxx> - 0.015-1
- 0.015 bump
* Mon Mar 31 2025 Petr Pisar <ppisar@xxxxxxxxxx> - 0.014-1
- 0.014 bump
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2355807 - perl-Data-Float-0.014 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=2355807
  [ 2 ] Bug #2356927 - perl-Data-Float-0.015 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=2356927
--------------------------------------------------------------------------------

================================================================================
 squidclamav-7.4-1.el8 (FEDORA-EPEL-2025-2a1d4eaabc)
 HTTP Antivirus for Squid based on ClamAv and the ICAP protocol
--------------------------------------------------------------------------------
Update Information:

Update to 7.4.
--------------------------------------------------------------------------------
ChangeLog:

* Sun Mar 30 2025 Frank Crawford <frank@xxxxxxxxxxxxxxxxxx> - 7.4-1
- Update to 7.4.
* Sun Jan 26 2025 Frank Crawford <frank@xxxxxxxxxxxxxxxxxx> - 7.3-6
- Patch for GCC15 issues - BZ2341381.
* Sun Jan 19 2025 Fedora Release Engineering <releng@xxxxxxxxxxxxxxxxx> - 7.3-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
* Sat Jul 20 2024 Fedora Release Engineering <releng@xxxxxxxxxxxxxxxxx> - 7.3-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
* Sat Jan 27 2024 Fedora Release Engineering <releng@xxxxxxxxxxxxxxxxx> - 7.3-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Thu Nov 23 2023 Simone Caronni <negativo17@xxxxxxxxx> - 7.3-2
- Fix dependencies for el7.
--------------------------------------------------------------------------------

================================================================================
 xorgxrdp-0.10.4-1.el8 (FEDORA-EPEL-2025-3a4b087a8e)
 Implementation of xrdp backend as Xorg modules
--------------------------------------------------------------------------------
Update Information:

Release notes for xrdp v0.10.3 (2025/03/30)

General announcements

If you like xrdp, please consider sponsoring or donating to the project. We accept financial contributions through Open Collective, and direct donations to individual developers via GitHub Sponsors are also welcome.

Experimental support for utmp/wtmp file is provided in this release. If you use this, be aware that these files are only updated when an xrdp session is created or destroyed. Disconnections and reconnections to the same session are not tracked.
In particular:-
- the FROM address for a client (as shown by the w command) reflects the IP address of the client at the time of creation, and not the address of the currently connected client.
- Sessions started by the xrdp-sesrun command do not have a FROM address.

Security fixes
None

New features
- The number of threads assigned to the x264 encoder can now be configured (#3366 #3367)
- The colon in a share name passed from the client can be replaced with another character (#3389)
- Experimental support for utmp/wtmp is backported from devel. Thanks to @mlewissmith for this contribution.
- Add Hungarian keyboard (#3424 #3430)
- Improved keyboard fallback logic for xorgxrdp results in better support for some keyboard variants (e.g. Brazil ABNT2) #3478
- A new session type (Xvnc over Unix Domain Socket) has been added. Although intended primarily for Enterprise FIPS installations which use the Xvnc backend, this can be used with TigerVNC on any platform to improve security (#3453)

Bug fixes
- Fix potential memory leaks (#3380 #3388)
- Documentation fixes (#3403)
- Various Coverity warnings have been addressed (#3411 #3423)
- xrdp now copes with a mis-installed openh264 encoder (#3405 #3432)
- Bug #2518 which affects FIPS-compliant Enterprise installations can be addressed by using the new 'Xvnc over UDS' session type (#3453)
- FreeBSD: xrdp now avoids creating sessions with the same display number as forwarded X session over ssh (#3381 #3456)

Internal changes
- FreeBSD CI bumped to 14.2 (#3427)

Changes for users
None

Changes for packagers or developers
- The config file subdirectory (xrdp part of /etc/xrdp) can now be configured (#3369)
- Packagers using TigerVNC to provide the Xvnc backend may wish to configure the 'Xvnc over UDS' session type as a default by using a code=1 line in xrdp.ini. Instructions are provided in the released xrdp.ini file.

Release notes for xorgxrdp v0.10.4 (2025/03/30)

General announcements

Power Up Privacy and Cybertrust Japan sponsored H.264 encoding. We greatly appreciate the sponsorship.

Please consider sponsoring or making a donation to the project if you like xrdp. We accept financial contributions via Open Collective. Direct donations to each developer via GitHub Sponsors are also welcomed.

Security fixes
None

New features
None

Bug fixes
None

Internal changes
- The dixGetDisplayName() function is used to access the display name where available (#367)
- FreeBSD CI testing is now performed (#379)
- autoconf version is changed from 2.65 to 2.69 (#378)

Known issues
None

Changes for packagers or developers
This version is intended to be used together with xrdp v0.10.3 or later. Please build against xrdp v0.10.3 and provide both xrdp v0.10.3 and xorgxrdp v0.10.4 at the same time.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Apr 1 2025 Bojan Smojver <bojan@xxxxxxxxxxxxx> - 0.10.4-1
- Bump up to 0.10.4
* Sun Jan 19 2025 Fedora Release Engineering <releng@xxxxxxxxxxxxxxxxx> - 0.10.3-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2356074 - xorgxrdp-0.10.4 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=2356074
--------------------------------------------------------------------------------

================================================================================
 xrdp-0.10.3-1.el8 (FEDORA-EPEL-2025-3a4b087a8e)
 Open source remote desktop protocol (RDP) server
--------------------------------------------------------------------------------
Update Information:

Release notes for xrdp v0.10.3 (2025/03/30)

General announcements

If you like xrdp, please consider sponsoring or donating to the project. We accept financial contributions through Open Collective, and direct donations to individual developers via GitHub Sponsors are also welcome.

Experimental support for utmp/wtmp file is provided in this release. If you use this, be aware that these files are only updated when an xrdp session is created or destroyed. Disconnections and reconnections to the same session are not tracked.
In particular:-
- the FROM address for a client (as shown by the w command) reflects the IP address of the client at the time of creation, and not the address of the currently connected client.
- Sessions started by the xrdp-sesrun command do not have a FROM address.

Security fixes
None

New features
- The number of threads assigned to the x264 encoder can now be configured (#3366 #3367)
- The colon in a share name passed from the client can be replaced with another character (#3389)
- Experimental support for utmp/wtmp is backported from devel. Thanks to @mlewissmith for this contribution.
- Add Hungarian keyboard (#3424 #3430)
- Improved keyboard fallback logic for xorgxrdp results in better support for some keyboard variants (e.g. Brazil ABNT2) #3478
- A new session type (Xvnc over Unix Domain Socket) has been added. Although intended primarily for Enterprise FIPS installations which use the Xvnc backend, this can be used with TigerVNC on any platform to improve security (#3453)

Bug fixes
- Fix potential memory leaks (#3380 #3388)
- Documentation fixes (#3403)
- Various Coverity warnings have been addressed (#3411 #3423)
- xrdp now copes with a mis-installed openh264 encoder (#3405 #3432)
- Bug #2518 which affects FIPS-compliant Enterprise installations can be addressed by using the new 'Xvnc over UDS' session type (#3453)
- FreeBSD: xrdp now avoids creating sessions with the same display number as forwarded X session over ssh (#3381 #3456)

Internal changes
- FreeBSD CI bumped to 14.2 (#3427)

Changes for users
None

Changes for packagers or developers
- The config file subdirectory (xrdp part of /etc/xrdp) can now be configured (#3369)
- Packagers using TigerVNC to provide the Xvnc backend may wish to configure the 'Xvnc over UDS' session type as a default by using a code=1 line in xrdp.ini. Instructions are provided in the released xrdp.ini file.

Release notes for xorgxrdp v0.10.4 (2025/03/30)

General announcements

Power Up Privacy and Cybertrust Japan sponsored H.264 encoding.
We greatly appreciate the sponsorship.

Please consider sponsoring or making a donation to the project if you like xrdp. We accept financial contributions via Open Collective. Direct donations to each developer via GitHub Sponsors are also welcomed.

Security fixes
None

New features
None

Bug fixes
None

Internal changes
- The dixGetDisplayName() function is used to access the display name where available (#367)
- FreeBSD CI testing is now performed (#379)
- autoconf version is changed from 2.65 to 2.69 (#378)

Known issues
None

Changes for packagers or developers
This version is intended to be used together with xrdp v0.10.3 or later. Please build against xrdp v0.10.3 and provide both xrdp v0.10.3 and xorgxrdp v0.10.4 at the same time.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Apr 1 2025 Bojan Smojver <bojan@xxxxxxxxxxxxx> - 1:0.10.3-1
- Update to 0.10.3
- Enable Xvnc over Unix domain socket
* Wed Mar 26 2025 Bojan Smojver <bojan@xxxxxxxxxxxxx> - 1:0.10.2-13
- Rebuild for noopenh264 2.6.0, once more
* Thu Mar 13 2025 Fabio Valentini <decathorpe@xxxxxxxxx> - 1:0.10.2-12
- Rebuild for noopenh264 2.6.0
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2356074 - xorgxrdp-0.10.4 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=2356074
--------------------------------------------------------------------------------

================================================================================
 zabbix6.0-6.0.39-1.el8 (FEDORA-EPEL-2025-77875be662)
 Open-source monitoring solution for your IT infrastructure
--------------------------------------------------------------------------------
Update Information:

Update to 6.0.39
CVE-2024-45700, CVE-2024-36469, CVE-2024-42325, CVE-2024-45699
Fix selinux module name in uninstall scriptlet
--------------------------------------------------------------------------------
ChangeLog:

* Wed Apr 2 2025 Orion Poplawski <orion@xxxxxxxx> - 6.0.39-1
- Update to 6.0.39 (CVE-2024-45700)
* Thu Jan 30 2025 Orion Poplawski <orion@xxxxxxxx> - 6.0.38-1
- Update to 6.0.38 (CVE-2024-36469, CVE-2024-42325, CVE-2024-45699)
- Fix selinux module name in uninstall scriptlet
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2356856 - CVE-2024-36469 zabbix6.0: User enumeration via timing attack in Zabbix web interface [epel-8]
        https://bugzilla.redhat.com/show_bug.cgi?id=2356856
  [ 2 ] Bug #2356864 - CVE-2024-42325 zabbix6.0: Excessive information returned by user.get [epel-8]
        https://bugzilla.redhat.com/show_bug.cgi?id=2356864
  [ 3 ] Bug #2356871 - CVE-2024-45700 zabbix6.0: DoS vulnerability due to uncontrolled resource exhaustion [epel-8]
        https://bugzilla.redhat.com/show_bug.cgi?id=2356871
  [ 4 ] Bug #2356878 - CVE-2024-45699 zabbix6.0: Reflected XSS vulnerability in /zabbix.php?action=export.valuemaps [epel-8]
        https://bugzilla.redhat.com/show_bug.cgi?id=2356878
--------------------------------------------------------------------------------

================================================================================
 zabbix7.0-7.0.11-1.el8 (FEDORA-EPEL-2025-01e745cb85)
 Open-source monitoring solution for your IT infrastructure
--------------------------------------------------------------------------------
Update Information:

Update to 7.0.11
CVE-2024-36465, CVE-2024-36469, CVE-2024-42325, CVE-2024-45699, CVE-2024-45700
Re-install SELinux module in %%posttrans to address "upgrade" from zabbixA.B to zabbixX.Y in one transaction
--------------------------------------------------------------------------------
ChangeLog:

* Wed Apr 2 2025 Orion Poplawski <orion@xxxxxxxx> - 7.0.11-1
- Update to 7.0.11 (CVE-2024-45700)
* Tue Feb 18 2025 Orion Poplawski <orion@xxxxxxxx> - 7.0.9-2
- Re-install SELinux module in %posttrans to address "upgrade" from zabbixA.B to zabbixX.Y in one transaction
* Wed Jan 29 2025 Orion Poplawski <orion@xxxxxxxx> - 7.0.9-1
- Update to 7.0.9 (CVE-2024-36465, CVE-2024-36469, CVE-2024-42325, CVE-2024-45699)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2356852 - CVE-2024-36465 zabbix7.0: SQL injection in Zabbix API [epel-8]
        https://bugzilla.redhat.com/show_bug.cgi?id=2356852
  [ 2 ] Bug #2356853 - CVE-2024-36465 zabbix7.0: SQL injection in Zabbix API [epel-9]
        https://bugzilla.redhat.com/show_bug.cgi?id=2356853
  [ 3 ] Bug #2356857 - CVE-2024-36469 zabbix7.0: User enumeration via timing attack in Zabbix web interface [epel-8]
        https://bugzilla.redhat.com/show_bug.cgi?id=2356857
  [ 4 ] Bug #2356859 - CVE-2024-36469 zabbix7.0: User enumeration via timing attack in Zabbix web interface [epel-9]
        https://bugzilla.redhat.com/show_bug.cgi?id=2356859
  [ 5 ] Bug #2356865 - CVE-2024-42325 zabbix7.0: Excessive information returned by user.get [epel-8]
        https://bugzilla.redhat.com/show_bug.cgi?id=2356865
  [ 6 ] Bug #2356867 - CVE-2024-42325 zabbix7.0: Excessive information returned by user.get [epel-9]
        https://bugzilla.redhat.com/show_bug.cgi?id=2356867
  [ 7 ] Bug #2356872 - CVE-2024-45700 zabbix7.0: DoS vulnerability due to uncontrolled resource exhaustion [epel-8]
        https://bugzilla.redhat.com/show_bug.cgi?id=2356872
  [ 8 ] Bug #2356874 - CVE-2024-45700 zabbix7.0: DoS vulnerability due to uncontrolled resource exhaustion [epel-9]
        https://bugzilla.redhat.com/show_bug.cgi?id=2356874
  [ 9 ] Bug #2356879 - CVE-2024-45699 zabbix7.0: Reflected XSS vulnerability in /zabbix.php?action=export.valuemaps [epel-8]
        https://bugzilla.redhat.com/show_bug.cgi?id=2356879
  [ 10 ] Bug #2356881 - CVE-2024-45699 zabbix7.0: Reflected XSS vulnerability in /zabbix.php?action=export.valuemaps [epel-9]
        https://bugzilla.redhat.com/show_bug.cgi?id=2356881
--------------------------------------------------------------------------------